Titanium JIRA Archive
Titanium SDK/CLI (TIMOB)

[TIMOB-16213] CLI: Packaging - CLI should throw a warning if you are using a SHA256withRSA signature keystore when packaging to a non-KitKat device

GitHub Issue: n/a
Type: Bug
Priority: High
Status: Closed
Resolution: Fixed
Resolution Date: 2014-02-05T00:11:02.000+0000
Affected Version/s: Release 3.2.0
Fix Version/s: 2014 Sprint 03, 2014 Sprint 03 Core, Release 3.2.3, Release 3.3.0
Components: CLI
Labels: qe-3.2.0, qe-3.2.0-GA2, qe-closed-3.2.3, qe-testadded
Reporter: Wilson Luu
Assignee: Chris Barber
Created: 2014-01-17T00:31:22.000+0000
Updated: 2015-01-26T09:47:54.000+0000

Description

If you try to package an app (from CLI) to a non-KitKat device, then the CLI should throw a warning if you signed the packaged app with a SHA256withRSA signature algorithm keystore. And, indicate to the user to use a SHA1withRSA signature keystore for a non-KitKat device. Java 1.6.X only ships with SHA1withRSA. Java 1.7.X ships with both SHA1withRSA and SHA256withRSA.

Attachments

File     Date                           Size
foo.jks  2014-01-31T01:52:13.000+0000   4810

Comments

  1. Chris Barber 2014-01-31

    Master pull request: https://github.com/appcelerator/titanium_mobile/pull/5296
    3.2.x pull request: https://github.com/appcelerator/titanium_mobile/pull/5297

    To test:
    1. create an android project
    2. download the keystore attachment on this ticket
    3. build the app for android using this keystore: ti build -p android -T dist-playstore
    4. when prompted, specify the path to the keystore
    5. enter the password "123123"
    6. select the alias "foo"
    7. you should see a warning

    Next we test when specifying from the command line:
       ti build -p android -T dist-playstore --keystore /path/to/foo.jks --store-password 123123 --alias foo

    Try a bad alias:
       ti build -p android -T dist-playstore --keystore /path/to/foo.jks --store-password 123123 --alias blah

    Try building for an Android device running Android 4.3 or OLDER:

       ti build -p android -T device --keystore /path/to/foo.jks --store-password 123123 --alias bar
       works

       ti build -p android -T device --keystore /path/to/foo.jks --store-password 123123 --alias baz
       works

       ti build -p android -T device --keystore /path/to/foo.jks --store-password 123123 --alias foo
       should warn, then fail during install
  2. Priya Agarwal 2014-03-26

    Verified the fix with test environment: Appc Studio: 3.2.3.201403250634, SDK: 3.2.3.v20140325145222, alloy: 1.3.1, titanium: 3.2.3-dev, titanium-code-processor: 1.1.0, OS: Windows 8.1, Ubuntu 12.0.4, Device: LG-P970 (V4.0.4). Followed the above mentioned test steps and got the expected result. Hence closing the issue as fixed.
  3. Ivan Skugor 2015-01-22

    Hi. Can we specify the signing algorithm in the CLI? If not, why wasn't that implemented? :)
  4. Chris Barber 2015-01-22

    [~ivan.skugor] Nope. It wasn't implemented because we detect and use the actual signature type that the selected cert in the keystore uses. There's no point specifying it.
  5. Ivan Skugor 2015-01-23

    Thanks for the answer. I actually have a need to specify the signing algorithm. We have one app that we brand for different clients and we use different keystores for each brand. We were unlucky to publish the app with a keystore that has SHA256 as the default signing algorithm (and as far as I know, there's no way to update a keystore). I've updated the app by manually signing, but it would be handy if I could specify the signing algorithm. And I'm not the only one with a similar problem: http://www.tidev.io/2013/12/31/gotcha-package-file-was-not-signed-correctly/ Also, IMO it would be more future-proof if the algorithm could be specified.
  6. Chris Barber 2015-01-23

    The default signature algorithm is "MD5withRSA". However, this is overwritten by the actual signature found in the keystore for the given alias. Run this:
       keytool -J-Duser.language=en -list -v -keystore /path/to/keystore.jks -storepass your_password

    Titanium will scan the output, find the entry for the specified --alias and then parse out the "Signature algorithm name". So why is it not finding the correct signature algorithm? Is the --alias correct? Is the text rendered by keytool not matching?
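An added example in Node-style JavaScript (not Titanium's own build script) of the keytool-output scan described in the comment above: it pulls the "Signature algorithm name" for the requested alias and emits the warning this ticket asks for when the target runs below API level 19 (KitKat). The keytool output, the alias names and the `targetApiLevel` parameter are constructed for the example.

```javascript
// Added example (not Titanium's own code): parse the output of
// `keytool -list -v` for one alias and decide whether the SHA256withRSA
// warning applies. The keytool output below is constructed sample text.
const SAMPLE_KEYTOOL_OUTPUT = `Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: foo
Owner: CN=foo, O=Example
   Signature algorithm name: SHA256withRSA
   Version: 3

*******************************************

Alias name: bar
Owner: CN=bar, O=Example
   Signature algorithm name: SHA1withRSA
   Version: 3
`;

// Split the output into per-alias entries and record each entry's
// "Signature algorithm name" value (null if the line never appears).
function parseKeystoreEntries(output) {
  const entries = {};
  let current = null;
  for (const raw of output.split('\n')) {
    const line = raw.trim();
    let m;
    if ((m = /^Alias name:\s*(.+)$/.exec(line))) {
      current = m[1].trim();
      entries[current] = { alias: current, sigalg: null };
    } else if (current && (m = /^Signature algorithm name:\s*(\S+)/.exec(line))) {
      entries[current].sigalg = m[1];
    }
  }
  return entries;
}

// Return a warning when the alias uses SHA256withRSA and the target
// runs below API level 19 (KitKat); null otherwise. Unknown alias throws.
function checkSigalg(output, alias, targetApiLevel) {
  const entry = parseKeystoreEntries(output)[alias];
  if (!entry) throw new Error(`Alias "${alias}" not found in keystore`);
  if (entry.sigalg === 'SHA256withRSA' && targetApiLevel < 19) {
    return `Alias "${alias}" uses SHA256withRSA; the APK will not install on Android 4.3 or older. Use a SHA1withRSA keystore for this target.`;
  }
  return null;
}
```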
  7. Ivan Skugor 2015-01-23

    Yes, Titanium finds signature algorithm correctly (SHA256withRSA), but that algorithm has issue with pre-4.4 Android devices (apk can't be installed). When I manually set signature algorithm to SHA1withRSA, it works fine.
  8. Chris Barber 2015-01-23

    How is that possible? Are you manually calling jarsigner? How is that different than what the Android build is currently doing? https://github.com/appcelerator/titanium_mobile/blob/master/android/cli/commands/_build.js#L4095-L4136
  9. Ivan Skugor 2015-01-23

    Yes, I manually call jarsigner (and after that, zipalign), I changed "sigalg" parameter: "-sigalg" "SHA1withRSA" (so, that part is different from what Titanium does). Sorry for confusion.
  10. Chris Barber 2015-01-23

    Oooooooooh. OK, let me escalate and chat with the guys tomorrow. Sit tight. :)
  11. Ivan Skugor 2015-01-23

    Thanks! :)
  12. Michael Gangolf 2015-01-23

    @Ivan: I had the same problem, so I just changed the build script Chris posted before so it won't do: var sigalg = this.keystoreAlias.sigalg || 'MD5withRSA', but only: var sigalg = 'MD5withRSA'. Then I was sure that I never used the SHA256 and I didn't need to run the scripts manually. But it would be nice to specify the sigalg because I have a new key too and need to compile for old phones and it will always select the 256 by default.
  13. Ivan Skugor 2015-01-23

    Michael G, yeah, that could be a workaround, but I would still like to have this solved in the SDK if possible. :)
  14. Chris Barber 2015-01-23

    [~ivan.skugor] What version of Java are you using? We talked and we think that if you switch to Java 1.7, things should work.
  15. Ivan Skugor 2015-01-23

    I already use 1.7, but it doesn't work with it.
  16. Chris Barber 2015-01-23

    [~ivan.skugor] OK, cool. Ticket created! TIMOB-18441
  17. Ivan Skugor 2015-01-26

    Awesome, thank you. :)
